PDF malware analysis — malicious · 7271414581236284

MALICIOUS

PDF

235.8 KB Created: 2010-02-22 19:20:30 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))

MD5: db8200787fef234eedad11461023c6c7 SHA-1: cfa73df5931a6bc023eefd9f8472302f0aa2c556 SHA-256: 72714145812362842a33a67c84901d60634cb749875b3581e0c8173bab7e1ee6

132 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The PDF file was flagged by ClamAV as Pdf.Exploit.Agent-19990 and a machine learning classifier indicated a high probability of maliciousness. It contains a hidden iframe pointing to external URLs, suggesting it is designed to download and execute a second-stage payload. The embedded URLs are suspicious and likely serve as the distribution points for the malware.

Machine Learning

Nyx PDF Classifier malicious score 0.9482

Heuristics 3

ClamAV: Pdf.Exploit.Agent-19990 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-19990
PDF contains hidden external HTML iframe high PDF_HIDDEN_HTML_IFRAME

PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://fuadrenal.com/lib/index.php
- http://reycross.com/lib/index.php
- http://odmarco.com/lib/index.php
- http://www.gnu.org/copyleft/gpl.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_002_off0000b9ed.bin` `a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xB9ED	264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.